The Examiner has rejected Claims 1-29 on the ground of nonstatutory
obviousness-type double patenting as being unpatentable over Claims 1-29 of U.S. Patent
No. 6,839,852. Applicant has submitted herewith a terminal disclaimer in order to
overcome such rejection.

The Examiner has rejected Claims 1-29 under 35 U.S.C. 112, first paragraph, as
failing to comply with the written description requirement. Specifically, the Examiner
has stated that Claims 1, 8-10, 19-22 and 23-25 recite a "subset of the plurality of
computers" and that Claim 25 recites a "similar phrase sent across the subset of the
plurality of client computers" and that neither are described in the specification.
Applicant respectfully disagrees.

Specifically, with respect to applicant's claimed "subset of the plurality of
computers," applicant respectfully points out the following excerpts from page 8, line 19-
page 9, line 21 in the specification:

"As shown in Figure 3, network communications are initially established with a
plurality of computers with firewalls over a network. See operation 302. . . .
Once the communication is established, the information is collected from the
firewalls of the computers utilizing the network in operation 302. . . .
By way of example, if it is found that a large number of computers are the subject
of the same port scans, this may be assumed to indicate intrusion activity. In
another example, if a large number of computers receive an email with the phrase
"OPEN ATTACHMENT" in the subject header, this too may be considered
intrusion activity."

Clearly, as noted from the excerpt above, collecting information from a plurality
of computers, and identifying similar activity across a subset (e.g. large number, etc.) of
computers is indeed supported. In addition, applicant respectfully points out that the
above cited excerpt from the specification clearly states that "if a large number of
computers receive an email with the phrase 'OPEN ATTACHMENT' in the subject
header, this too may be considered intrusion activity." Thus, applicant's Claim 25
requiring a technique "wherein the similar intrusion activity includes an e-mail with a
similar phrase sent across the subset of the plurality of client computers" is also clearly
supported by the specification.

The Examiner has rejected Claims 1-29 under 35 U.S.C. 112, second paragraph,
as being indefinite for failing to particularly point out and distinctly claim the subject
matter which applicant regards as the invention. Specifically, the Examiner has stated
that the term "similar" in Claims 1-3, 8-10, 19-22, 24 and 25 is a relative term which
renders the claim indefinite.

Applicant respectfully disagrees and points out page 9, lines 9-21 in the
specification, which states that "the information may be analyzed for patterns that are
indicative of intrusion activity" and that, for example, "if it is found that a large number
of computers are the subject of the same port scans, this may be assumed to indicate
intrusion activity" or "if a large number of computers receive an email with the phrase
'OPEN ATTACHMENT' in the subject header, this too may be considered intrusion
activity." Thus, applicant's claimed "similar intrusion activity" is not indefinite, since
the specification clearly states that the information is analyzed for patterns indicative of
intrusion activity, which is clearly an example of "similar intrusion activity."

The Examiner has maintained the rejection of Claims 1-29 under 35 U.S.C.
102(b) as being anticipated by Conklin et al. (U.S. Patent No. 5,991,881). Applicant
respectfully disagrees with such rejection.

With respect to independent Claims 1, 8-10 and 19-22, the Examiner has relied on
the Summary and Col. 3, lines 37-43 et al. in Conklin to make a prior art showing of
applicant's claimed "establishing network communications with a plurality of computers
with firewalls over a network, wherein the firewalls are adapted for collecting
information relating to intrusion activity" (see the same or similar, but not necessarily
identical language in each of the independent claims). Applicant respectfully asserts that
Conklin only discloses "Intrusion Detection portions of a Network Surveillance System."
Applicant further notes that Figure 4 of Conklin shows a single intrusion detection block
in communication with an operating system of a single computer, and not "a plurality of
computers with firewalls," as specifically claimed by applicant (emphasis added).

In the latest Office Action dated 2/7/2006, the Examiner has argued that Conklin
discloses "a system and method for network surveillance and detection of attempted
intrusions, or intrusions, into the network and into computers connected to the network."
Applicant respectfully asserts that Conklin only teaches a "Network Surveillance System
[that] captures all traffic broadcast on the segment. . .[including] the communications
between Host A and Host C" (see Col. 2, lines 48-50). In addition, Conklin teaches that
the "Network Surveillance System operates through a computer, attached to the network"
(Col. 3, lines 44-46). However, applicant respectfully asserts that Figures 1-3 in Conklin
clearly show the Network Surveillance unit being a single unit separate from the hosts for
which traffic is being captured, and that the Network Surveillance unit merely sits on a
communication segment for capturing data transmitted on such segment. Thus,
Conklin's Network Surveillance system, which is separate from such computers, cannot
meet applicant's claimed "plurality of computers with firewalls over a network, wherein
the firewalls are adapted for collecting information relating to intrusion activity"
(emphasis added), in the context claimed.

Still with respect to applicant's claimed "establishing network communications
between a server computer and a plurality of client computers with firewalls over a
network," the Examiner has also, in his latest response to remarks, relied on Col. 3, lines
36-65 and Col. 4, lines 9-28 in Conklin to make a prior art showing of such claim
language. Applicant again respectfully asserts that the Conklin excerpts fail to teach "a
plurality of client computers with firewalls," as claimed. As argued above, Conklin only
discloses a Network Surveillance System that is separate from the host computers and
that collects data transmitted between the host computers. In fact, applicant points out
that as shown in Figures 1 and 2, the Network Surveillance System is located on an
Ethernet segment and collects data transmitted on that Ethernet segment. Furthermore, as
shown in Figure 3, the Network Surveillance System is attached to a router, and not the
host computers. Thus, clearly the cited Conklin excerpts do not meet applicant's claimed
"plurality of client computers with firewalls" (emphasis added), in the context claimed.

In addition, the Examiner has relied on Col. 4, line 45-Col. 5, line 45 et al. to
make a prior art showing of applicant's claimed technique "wherein the firewalls are
adapted for collecting information relating to intrusion activity, and include a list of
trusted and banned addresses" (emphasis added). Applicant respectfully asserts that the
only mention of addresses in such excerpts merely relates to developing network specific
characteristics or facts, including "common destination/source address combinations."
Further, only when network traffic is outside normal tolerances for such measured
characteristics is action taken. Clearly, only maintaining data on common
destination/source address combinations in order for such combinations to be compared
against thresholds, as in Conklin, does not even suggest "a list of trusted and banned
addresses," as applicant claims.

With respect to independent Claim 1 et al., the Examiner has relied on the
Summary, Col. 4, lines 9-29 and Col. 5, lines 25-61 in Conklin to make a prior art
showing of applicant's claimed technique "wherein the firewalls are adapted for
preventing the similar intrusion activity across each of the plurality of client computers
utilizing the response." As argued above, applicant respectfully asserts that Conklin only
teaches a single Network Surveillance System. Furthermore, such single unit consists of
multiple components, as shown in Figure 6. In addition, Conklin discloses a "second
logging function" of the Network Surveillance unit that "is used to hold all ensuing
packets associated with. . .reportable activity. . .by any one of its identifiable
characteristics" (see Col. 5, lines 35-44). Thus, in Conklin, only the single Network
Surveillance unit captures packets communicated between client computers, which
clearly does not meet applicant's claimed "firewalls [on the plurality of client computers
that] are adapted for preventing the similar intrusion activity across each of the plurality
of client computers utilizing the response," when read in context.

The Examiner is reminded that a claim is anticipated only if each and every
element as set forth in the claim is found, either expressly or inherently described in a
single prior art reference. Verdegaal Bros. v. Union Oil Co. of California, 814 F.2d 628,
631, 2 USPQ2d 1051, 1053 (Fed. Cir. 1987). Moreover, the identical invention must be
shown in as complete detail as contained in the claim. Richardson v. Suzuki Motor
Co., 868 F.2d 1226, 1236, 9 USPQ2d 1913, 1920 (Fed. Cir. 1989). The elements must be
arranged as required by the claim.

This criterion has simply not been met by the Conklin reference, as noted above.
A notice of allowance or a specific prior art showing of each of the foregoing claimed
features, in combination with the remaining claimed features, is respectfully requested.

Thus, all of the independent claims are deemed allowable. Moreover, the
remaining dependent claims are further deemed allowable, in view of their dependence
on such independent claims.

In the event a telephone conversation would expedite the prosecution of this
application, the Examiner may reach the undersigned at (408) 505-5100. The
Commissioner is authorized to charge any additional fees or credit any overpayment to
Deposit Account No. 50-1351 (Order No. NAI1P095/02.014.01).



P.O. Box 721120
San Jose, CA 95172-1120
408-505-5100

Kevin J. Zilka
Registration No. 41,429